Add ability to configure @RequireApiKey scopes per deployment #45

Open
sbearcsiro opened this issue Jul 25, 2024 · 0 comments
@sbearcsiro
Collaborator

At the moment, using @RequireApiKey with custom scopes for permissions means the scope names must be hard coded in the source code. This is an issue if running two instances of a distributed application that shouldn't talk to each other against the same auth system, such as ecodata and ecodata-test.

Add a method to configure @RequireApiKey scopes from configuration properties.

Additionally, instate the ability to limit callers to tokens that bear a particular audience claim. Audience validation is supported in the Nimbus JOSE + JWT DefaultJWTClaimsVerifier, so this can just be plumbed in. Also investigate adding per-@RequireApiKey audience support; the audience value should not be hard coded.
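The kind of per-deployment check the issue asks for, as an added example that is not part of the issue or of the project's code: accepted audiences and required scopes are read from configuration and enforced with Nimbus `DefaultJWTClaimsVerifier`. The class name, the `example.*` property keys, and the scope and audience values are assumptions made for illustration, and the claims are assumed to come from a token whose signature has already been verified.

```java
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.util.*;

public class DeploymentTokenPolicy {
    private final DefaultJWTClaimsVerifier<SecurityContext> verifier;
    private final Set<String> requiredScopes;

    // Property names are hypothetical, not the library's real configuration keys.
    public DeploymentTokenPolicy(Properties config) {
        Set<String> audiences = split(config.getProperty("example.jwt.accepted-audiences"));
        requiredScopes = split(config.getProperty("example.api.required-scopes"));
        if (audiences.isEmpty() || requiredScopes.isEmpty()) // fail closed on missing config
            throw new IllegalStateException("audience and scopes must be configured");
        // With a non-null audience set, tokens must carry an "aud" claim with an accepted value.
        verifier = new DefaultJWTClaimsVerifier<>(audiences, new JWTClaimsSet.Builder().build(),
                Collections.<String>emptySet(), Collections.<String>emptySet());
    }

    // Expects claims from a token whose signature has already been verified.
    public boolean permits(JWTClaimsSet claims) {
        try {
            verifier.verify(claims, null); // checks aud, plus exp/nbf when present
        } catch (BadJWTException e) {
            return false;
        }
        Object scope = claims.getClaim("scope"); // space-delimited string or a list
        Set<String> granted = new HashSet<>();
        if (scope instanceof Collection) {
            for (Object s : (Collection<?>) scope) granted.add(String.valueOf(s));
        } else if (scope instanceof String) {
            granted = split((String) scope);
        }
        return granted.containsAll(requiredScopes);
    }

    private static Set<String> split(String value) {
        Set<String> out = new LinkedHashSet<>();
        if (value != null) for (String s : value.trim().split("[\\s,]+")) if (!s.isEmpty()) out.add(s);
        return out;
    }

    public static void main(String[] args) {
        Properties prod = new Properties(); // constructed sample values
        prod.setProperty("example.jwt.accepted-audiences", "ecodata");
        prod.setProperty("example.api.required-scopes", "ecodata/write");
        JWTClaimsSet.Builder token = new JWTClaimsSet.Builder().claim("scope", "ecodata/write")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000));
        DeploymentTokenPolicy policy = new DeploymentTokenPolicy(prod);
        System.out.println("aud=ecodata-test: " + policy.permits(token.audience("ecodata-test").build()));
        System.out.println("aud=ecodata: " + policy.permits(token.audience("ecodata").build()));
    }
}
```

A token that carries the right scope but was issued for the other deployment's audience is rejected, which is the isolation between ecodata and ecodata-test that the issue describes.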

@sbearcsiro sbearcsiro self-assigned this Jul 25, 2024
sbearcsiro added a commit that referenced this issue Jul 30, 2024
 - Add reading @RequireApiKey required scopes from config
 - Add @RequireApiKey customisable authorisation
 - Add making the parsed access token JWT available to applications via request attribute
 - Add support for restricting audience values globally
 - Add support for prohibited claims
 - Add methods to allow client applications to clear user details caches
sbearcsiro added a commit that referenced this issue Jul 31, 2024
 - Add reading @RequireApiKey required scopes from config
 - Add @RequireApiKey customisable authorisation
 - Add making the parsed access token JWT available to applications via request attribute
 - Add support for restricting audience values globally
 - Add support for prohibited claims
 - Add methods to allow client applications to clear user details caches
sbearcsiro added a commit that referenced this issue Sep 16, 2024
Release 6.3.0:
 - Add ability to configure @RequireApiKey scopes per deployment #45